X-Recipient: archive-cygwin AT delorie DOT com DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:date:from:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; q=dns; s=default; b=MLdEIOf8vIIrY+Yy DhD+oeIymxm82vNF9tTwPaK+Hu3n02xHYLRVh8Z++oqtVo7ag8CKdVv8PUXlLaBP /ktzINeDgA7wWlvw0ZVjciyooCsL8XayTMHuQormuGGgTAvaNWWo34evk55AoqvO P92Hq/KeEEtZZJyzXOZzAj+7Tyc= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:message-id:date:from:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; s=default; bh=37QPmNH3E2Kn1JQr0X+Ccp 5EDxk=; b=LKkSx6j3lKedBtUoyjZuINp+KThkNTnU+XnJG1eSJlPhd+UhbkgtWd NqgYHQaDUxTEdoH6LDOIPLnMVZbYyo6r8oW8m0BPS+yFBf8Z8gZZou+s1i0HHIym 8nWVl0bd/VfzHigxGdIbtvAv0M+oZKsy4w7j96/NCyuKsCus+pOhs= Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-6.0 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_2 autolearn=ham version=3.3.1 spammy=behaviors, Somehow, site X-HELO: Ishtar.sc.tlinx.org Message-ID: <5C86C415.3000807@tlinx.org> Date: Mon, 11 Mar 2019 13:24:53 -0700 From: L A Walsh User-Agent: Thunderbird MIME-Version: 1.0 To: archie DOT cobbs AT gmail DOT com CC: cygwin AT cygwin DOT com Subject: Re: SSL should not be required for open source downloading References: <1a840c2e-55ac-0ab4-66c4-a1f6a2c4f81a AT Shaw DOT ca> <41f12842-ea43-ff63-a660-26ee3b497c63 AT SystematicSw DOT ab DOT ca> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-IsSubscribed: yes On 3/11/2019 6:43 AM, Archie Cobbs wrote: > On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis > wrote: > >>>>> Is there any reason not to force this redirect and close this security hole? >>>>> >> There are apparently reasons not to force this redirect as it can also cause a >> security hole. >> > > That's really interesting. Can you provide more detail? > I know that was directed at Brian, but... Because if the assumption is that the site uses https or will redirect it, then to start the session the client would send startTLS parameters. If it so happens that part of the site, does not use https, then an attacker could grab those initial parameters. Somehow providing "opensource" binaries doesn't seem like the type of thing that needs or should even have encryption. > >>>> The whole sourceware.org site include cygwin.com uses HSTS which compliant supporting clients can use to switch to communicating over HTTPS. Clients which are not compliant or don't support HTTPS may still download the programs and files. >>>> >>> I don't see how HSTS solves the particular issue that I'm referring to. >>> >> HSTS redirects requests from port 80 to 443 (HTTPS). >> > > Not for me. Well, actually I'm getting inconsistent results... > On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL. > FWIW, apple customizes their library behaviors and doesn't always follow the standards. > On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome > redirects. > --- HSTS is only set from HTTPS. If you only access the site in cleartext, that is what you will get. If you don't understand HSTS, perhaps reading and understanding the document would be good before promoting it -- just sayin'. -- Problem reports: http://cygwin.com/problems.html FAQ: http://cygwin.com/faq/ Documentation: http://cygwin.com/docs.html Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple